
fix: [CI-21415]: remediate CVE-2025-15558 - upgrade base image to docker:29.3.0-dind#92

Open
vinayakharness2026 wants to merge 1 commit into drone-plugins:master from vinayakharness2026:fix/CI-21415-vuln-remediation-20260306

Conversation


@vinayakharness2026 vinayakharness2026 commented Mar 6, 2026

Vulnerability Remediation: plugins/buildx:1.3.15

JIRA: CI-21415
Test image scanned: vinayakharness/buildx-test:buildx-1.3.16--debug
Scanner: Prisma Cloud (Twistlock) via Harness STO


OnDemand Scan Results

| Scan | Image | Link |
|---|---|---|
| Baseline (before) | plugins/buildx:1.3.15 | View scan |
| Test (after) | vinayakharness/buildx-test:buildx-1.3.16--debug | View scan |

Vulnerability Delta

| Severity | Before (1.3.15) | After (buildx-1.3.16--debug) | Change |
|---|---|---|---|
| Critical | 3 | 0 | -3 |
| High | 16 | 2 | -14 |
| Medium | 15 | 3 | -12 |
| Low | 5 | 0 | -5 |
| Total | 46 | 6 | -40 (87% reduction) |

CVE Status

| CVE | Package | Before | After | Required | Status | Reason |
|---|---|---|---|---|---|---|
| CVE-2025-15558 | github.com/docker/cli | v28.0.4 | v29.3.0 | v29.2.0+ | Resolved | Base image upgraded to docker:29.3.0-dind |

Changes Made

| File | Change |
|---|---|
| docker/docker/Dockerfile.linux.amd64 | docker:28.1.1-dind -> docker:29.3.0-dind |
| docker/docker/Dockerfile.linux.arm64 | arm64v8/docker:28.1.1-dind -> arm64v8/docker:29.3.0-dind |
| docker/docker/Dockerfile.linux.amd64 | buildx binary v0.23.0 -> v0.32.1 |
| docker/docker/Dockerfile.linux.arm64 | buildx binary v0.23.0 -> v0.32.1 |

Warning

Major version upgrade included - sanity testing required

The base image was upgraded across a major version boundary (docker:28 -> docker:29) which may contain breaking changes.

Before merging, please:

  1. Deploy the new image to a QA or staging environment
  2. Run the full CI pipeline sanity suite against it
  3. Verify plugin-specific behaviour (build outputs, caching, auth flows, DinD socket) is unchanged
  4. Check the Docker 29.x changelog for breaking changes before approving

Upgrade base image from docker:28.1.1-dind to docker:29.3.0-dind to
resolve CVE-2025-15558 (github.com/docker/cli@v28.0.4, fixed in v29.2.0).

Also upgrade bundled buildx binary from v0.23.0 to v0.32.1.

Vulnerability delta (scanned via Harness STO / Prisma Cloud):
  Critical: 3 → 0  (-3)
  High:    16 → 2  (-14)
  Medium:  15 → 3  (-12)
  Low:      5 → 0  (-5)
  Total:   46 → 6  (-40, 87% reduction)
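As an added example, not code from this PR or the drone-plugins project: a POSIX shell check that pulls the `docker:<version>-dind` tag out of a Dockerfile `FROM` line (plain or mirror-prefixed, e.g. `arm64v8/docker:...`) and confirms it meets the v29.2.0 fix threshold given in the CVE status table above. The two Dockerfile snippets are constructed for this example; the repository's real `Dockerfile.linux.*` contents are not shown on this page, and the version comparison assumes plain dotted numeric tags.

```shell
#!/bin/sh
# Added example: verify that the docker:*-dind base image pinned in a
# Dockerfile is at or above the version that fixes CVE-2025-15558.
# Dockerfile contents below are CONSTRUCTED for this example.

# "Required" column from the PR's CVE status table (fixed in v29.2.0).
REQUIRED_DOCKER_VERSION="29.2.0"

# Constructed stand-ins for the before/after Dockerfiles (not the real files).
BEFORE_AMD64='FROM docker:28.1.1-dind
RUN apk add --no-cache ca-certificates'
AFTER_ARM64='FROM arm64v8/docker:29.3.0-dind
RUN apk add --no-cache ca-certificates'

# dind_version: print the version from the first FROM line that pulls
# docker:<ver>-dind or <mirror>/docker:<ver>-dind (e.g. "29.3.0").
dind_version() {
    printf '%s\n' "$1" \
        | sed -n 's#^FROM[[:space:]][[:space:]]*\([a-z0-9/]*\)docker:\([0-9][0-9.]*\)-dind.*#\2#p' \
        | head -n 1
}

# version_ge A B: exit 0 if dotted numeric version A >= B.
# Assumes up to three numeric components; a missing component sorts as 0.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_base_image: exit 0 if the pinned base image meets the fix threshold,
# 1 if it is still below it, 2 if no docker:*-dind FROM line was found.
check_base_image() {
    v=$(dind_version "$1")
    if [ -z "$v" ]; then
        echo "ERROR: no docker:*-dind FROM line found" >&2
        return 2
    fi
    if version_ge "$v" "$REQUIRED_DOCKER_VERSION"; then
        echo "OK: base image docker:${v}-dind >= ${REQUIRED_DOCKER_VERSION}"
        return 0
    fi
    echo "VULNERABLE: base image docker:${v}-dind < ${REQUIRED_DOCKER_VERSION} (CVE-2025-15558)"
    return 1
}

# Run the check against both constructed Dockerfiles when executed directly.
if check_base_image "$BEFORE_AMD64"; then :; fi   # expected: VULNERABLE (28.1.1)
if check_base_image "$AFTER_ARM64"; then :; fi    # expected: OK (29.3.0)
```

Pointing `check_base_image` at the actual `docker/docker/Dockerfile.linux.amd64` and `.arm64` contents (`check_base_image "$(cat path/to/Dockerfile)"`) gives a cheap CI gate that fails if a future change pins the base image back below the fixed version.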